ESET Mail Security 4. for Microsoft Exchange Server Version 4.3. Installation Manual and User Guide. Microsoft Windows Server 2000 / 2003 / 2008


Copyright ©2011 by ESET, spol. s r.o. ESET Mail Security was developed by ESET, spol. s r.o. For more information visit www.eset.com.

All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without permission in writing from the author.

ESET, spol. s r.o. reserves the right to change any of the described application software without prior notice.

Contents

1. Introduction
1.1 What's new in version 4.3?
1.2 System requirements
1.3 Methods used
1.3.1 Mailbox scanning via VSAPI
1.3.2 Message filtering on the SMTP server level
1.4 Types of protection
1.4.1 Antivirus protection
1.4.2 Antispam protection
1.4.3 Application of user-defined rules
1.5 User interface
2. Installation
2.1 Typical Installation
2.2 Custom Installation
2.3 Terminal Server
2.4 Upgrading to a newer version
2.5 Installation in a clustered environment
2.6 License
2.7 Post-Installation Configuration
3. ESET Mail Security - Microsoft Exchange Server protection
3.1 General settings
3.1.1 Microsoft Exchange Server
3.1.1.1 VSAPI (Virus-Scanning Application Programming Interface)
3.1.1.2 Transport Agent
3.1.2 Rules
3.1.2.1 Adding new rules
3.1.2.2 Actions taken when applying rules
3.1.3 Log files
3.1.4 Message quarantine
3.1.4.1 Adding a new quarantine rule
3.1.5 Performance
3.2 Antivirus and antispyware settings
3.2.1 Microsoft Exchange Server
3.2.1.1 Virus-Scanning Application Programming Interface (VSAPI)
3.2.1.1.1 Microsoft Exchange Server 5.5 (VSAPI 1.0)
3.2.1.1.1.1 Actions
3.2.1.1.1.2 Performance
3.2.1.1.2 Microsoft Exchange Server 2000 (VSAPI 2.0)
3.2.1.1.2.1 Actions
3.2.1.1.2.2 Performance
3.2.1.1.3 Microsoft Exchange Server 2003 (VSAPI 2.5)
3.2.1.1.3.1 Actions
3.2.1.1.3.2 Performance
3.2.1.1.4 Microsoft Exchange Server 2007/2010 (VSAPI 2.6)
3.2.1.1.4.1 Actions
3.2.1.1.4.2 Performance
3.2.1.1.5 Transport Agent
3.2.2 Actions
3.2.3 Alerts and notifications
3.2.4 Automatic exclusions
3.3 Antispam protection
3.3.1 Microsoft Exchange Server
3.3.1.1 Transport Agent
3.3.2 Antispam engine
3.3.2.1 Antispam engine parameter setup
3.3.2.1.1 Configuration file
3.3.3 Alerts and notifications
3.4 FAQ
4. ESET Mail Security - Server protection
4.1 Antivirus and antispyware protection
4.1.1 Real-time file system protection
4.1.1.1 Control setup
4.1.1.1.1 Media to scan
4.1.1.1.2 Scan on (Event-triggered scanning)
4.1.1.1.3 Advanced scan options
4.1.1.2 Cleaning levels
4.1.1.3 When to modify real-time protection configuration
4.1.1.4 Checking real-time protection
4.1.1.5 What to do if real-time protection does not work
4.1.2 Email client protection
4.1.2.1 POP3 checking
4.1.2.1.1 Compatibility
4.1.2.2 Integration with email clients
4.1.2.2.1 Appending tag messages to email body
4.1.2.3 Removing infiltrations
4.1.3 Web access protection
4.1.3.1 HTTP, HTTPs
4.1.3.1.1 Address management
4.1.3.1.2 Active mode
4.1.4 On-demand computer scan
4.1.4.1 Type of scan
4.1.4.1.1 Smart scan
4.1.4.1.2 Custom scan
4.1.4.2 Scan targets
4.1.4.3 Scan profiles
4.1.5 Performance
4.1.6 Protocol filtering
4.1.6.1 SSL
4.1.6.1.1 Trusted certificates
4.1.6.1.2 Excluded certificates
4.1.7 ThreatSense engine parameters setup
4.1.7.1 Objects setup
4.1.7.2 Options
4.1.7.3 Cleaning
4.1.7.4 Extensions
4.1.7.5 Limits
4.1.7.6 Other
4.1.8 An infiltration is detected
4.2 Updating the program
4.2.1 Update setup
4.2.1.1 Update profiles
4.2.1.2 Advanced update setup
4.2.1.2.1 Update mode
4.2.1.2.2 Proxy server
4.2.1.2.3 Connecting to the LAN
4.2.1.2.4 Creating update copies - Mirror
4.2.1.2.4.1 Updating from the Mirror
4.2.1.2.4.2 Troubleshooting Mirror update problems
4.2.2 How to create update tasks
4.3 Scheduler
4.3.1 Purpose of scheduling tasks
4.3.2 Creating new tasks
4.4 Quarantine
4.4.1 Quarantining files
4.4.2 Restoring from Quarantine
4.4.3 Submitting file from Quarantine
4.5 Log files
4.5.1 Log filtering
4.5.2 Find in log
4.5.3 Log maintenance
4.6 ESET SysInspector
4.6.1 Introduction to ESET SysInspector
Starting ESET SysInspector
4.6.2 User Interface and application usage
4.6.2.1 Program Controls
4.6.2.2 Navigating in ESET SysInspector
4.6.2.3 Compare
4.6.3 Command line parameters
4.6.4 Service Script
4.6.4.1 Generating Service script
4.6.4.2 Structure of the Service script
4.6.4.3 Executing Service scripts
4.6.5 Shortcuts
4.6.6 System requirements
4.6.7 FAQ
4.6.8 SysInspector as part of ESET Mail Security
4.7 ESET SysRescue
4.7.1 Minimum requirements
4.7.2 How to create rescue CD
4.7.2.1 Folders
4.7.2.2 ESET Antivirus
4.7.2.3 Advanced settings
4.7.2.4 Bootable USB device
4.7.2.5 Burn
4.7.3 Working with ESET SysRescue
4.7.3.1 Using ESET SysRescue
4.8 User interface options
4.8.1 Alerts and notifications
4.8.2 Disable GUI on Terminal Server
4.9 Command Line
4.10 Import and export settings
4.11 ThreatSense.Net
4.11.1 Suspicious files
4.11.2 Statistics
4.11.3 Submission
4.12 Remote administration
4.13 Licenses
5. Glossary
5.1 Types of infiltration
5.1.1 Viruses
5.1.2 Worms
5.1.3 Trojan horses
5.1.4 Rootkits
5.1.5 Adware
5.1.6 Spyware
5.1.7 Potentially unsafe applications
5.1.8 Potentially unwanted applications
5.2 Email
5.2.1 Advertisements
5.2.2 Hoaxes
5.2.3 Phishing
Recognizing spam scams

1. Introduction

ESET Mail Security 4 for Microsoft Exchange Server is an integrated solution that protects mailboxes from various types of malware content including email attachments infected by worms or trojans, documents containing harmful scripts, phishing and spam. ESET Mail Security provides three types of protection: Antivirus, Antispam and the application of user-defined rules. ESET Mail Security filters the malicious content at the mail server level, before it arrives in the recipient's email client inbox.

ESET Mail Security supports Microsoft Exchange Server versions 5.5 and later, as well as Microsoft Exchange Server in a cluster environment. In newer versions (Microsoft Exchange Server 2007 and later), specific roles (mailbox, hub, edge) are also supported. You can remotely manage ESET Mail Security in larger networks with the help of ESET Remote Administrator.

While providing Microsoft Exchange Server protection, ESET Mail Security also has tools to ensure protection of the server itself (resident protection, web-access protection, email client protection and antispam).

1.1 What's new in version 4.3?

Compared with ESET Mail Security version 4.2, the following new features and improvements have been introduced in version 4.3:

New logs for Antispam and Greylisting - both include detailed information on messages processed by the Antispam or Greylisting protection. The Antispam log also includes detailed reasons for classifying messages as SPAM.

Automatic exclusions - increase the overall stability and smooth operation of the server. Defining whole sets of exclusions from antivirus scanning for specific server application and operating system files is now just one click away.

Message categorization by spam score value - administrators can now specify spam score ranges to customize which messages will be categorized as spam, in order to fine-tune antispam filtering.

Merging of licenses - ESET Mail Security allows you to use several licenses, thereby expanding the number of protected mailboxes.

1.2 System requirements

Supported Operating Systems:

- Microsoft Windows 2000 Server
- Microsoft Windows Server 2003 (x86 and x64)
- Microsoft Windows Server 2008 (x86 and x64)
- Microsoft Windows Server 2008 R2
- Microsoft Windows Small Business Server 2003 (x86)
- Microsoft Windows Small Business Server 2003 R2 (x86)
- Microsoft Windows Small Business Server 2008 (x64)
- Microsoft Windows Small Business Server 2011 (x64)

Supported Microsoft Exchange Server versions:

- Microsoft Exchange Server 5.5 SP3, SP4
- Microsoft Exchange Server 2000 SP1, SP2, SP3
- Microsoft Exchange Server 2003 SP1, SP2
- Microsoft Exchange Server 2007 SP1, SP2, SP3
- Microsoft Exchange Server 2010 SP1

on hardware requirements.

1.3 Methods used

Two independent methods are used to scan email messages:

- Mailbox scanning via VSAPI
- Message filtering on the SMTP server level

1.3.1 Mailbox scanning via VSAPI

The mailbox scanning process is triggered and controlled by the Microsoft Exchange Server. Emails in the Microsoft Exchange Server store database are scanned continuously. Depending on the version of Microsoft Exchange Server, the VSAPI interface version and the user-defined settings, the scanning process can be triggered in any of the following situations:

- When the user accesses email, e.g. in an email client (email is always scanned with the latest virus signature database)
- In the background, when use of the Microsoft Exchange Server is low
- Proactively (based on the Microsoft Exchange Server's inner algorithm)

The VSAPI interface is currently used for antivirus scan and rule-based protection.

1.3.2 Message filtering on the SMTP server level

SMTP server-level filtering is secured by a specialized plugin. In Microsoft Exchange Server 2000 and 2003, the plugin in question (Event Sink) is registered on the SMTP server as a part of Internet Information Services (IIS). In Microsoft Exchange Server 2007/2010, the plugin is registered as a transport agent on the Edge or the Hub roles of the Microsoft Exchange Server.

SMTP server-level filtering by a transport agent provides protection in the form of antivirus, antispam and user-defined rules. As opposed to VSAPI filtering, the SMTP server-level filtering is performed before the scanned email arrives in the Microsoft Exchange Server mailbox.

1.4 Types of protection

There are three types of protection:

1.4.1 Antivirus protection

Antivirus protection is one of the basic functions of the ESET Mail Security product. Antivirus protection guards against malicious system attacks by controlling file, email and Internet communication. If a threat with malicious code is detected, the Antivirus module can eliminate it by blocking it and then cleaning, deleting or moving it to quarantine.

1.4.2 Antispam protection

Antispam protection integrates several technologies (RBL, DNSBL, Fingerprinting, Reputation checking, Content analysis, Bayesian filtering, Rules, Manual whitelisting/blacklisting, etc.) to achieve maximum detection of email threats. The antispam scanning engine’s output is the spam probability value of the given email message expressed as a percentage (0 to 100).

Another component of the antispam protection module is the Greylisting technique (disabled by default). The technique relies on the RFC 821 specification, which states that since SMTP is considered an unreliable transport, every message transfer agent (MTA) should repeatedly attempt to deliver an email after encountering a temporary delivery failure. A substantial part of spam consists of one-time deliveries (using specialized tools) to a bulk list of email addresses generated automatically. A server employing Greylisting calculates a control value (hash) for the envelope sender address, the envelope recipient address and the IP address of the sending MTA. If the server cannot find the control value for the triplet within its own database, it refuses to accept the message, returning a temporary failure code (for example, 451). A legitimate server will attempt a redelivery of the

1.4.3 Application of user-defined rules

Protection based on user-defined rules is available for scanning with both the VSAPI and the transport agent. You can use the ESET Mail Security user interface to create individual rules that may also be combined. If one rule uses multiple conditions, the conditions will be linked using the logical operator AND. Consequently, the rule will be executed only if all its conditions are fulfilled. If multiple rules are created, the logical operator OR will be applied, meaning the program will run the first rule for which the conditions are met.

In the scanning sequence, the first technique used is greylisting, if it is enabled. Subsequent processing always applies the following techniques, in this order: protection based on user-defined rules, followed by an antivirus scan and, lastly, an antispam scan.
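Greylisting is the first stage of this sequence. The following added example (a sketch written for this page, not ESET's code) implements the triplet check described in section 1.4.2 and replays constructed delivery attempts through it. SHA-256 as the control value, the lower-casing of addresses, the timing constants and all names are assumptions; the manual does not give them in this section.

```python
import hashlib
import time
from dataclasses import dataclass

# Assumed timing values; this part of the manual does not specify them.
MIN_RETRY_DELAY = 60            # seconds before a retry of a new triplet is accepted
UNVERIFIED_TTL = 4 * 3600       # forget triplets that never came back
VERIFIED_TTL = 35 * 24 * 3600   # forget verified triplets that went quiet


def triplet_key(mail_from: str, rcpt_to: str, client_ip: str) -> str:
    """Control value for (envelope sender, envelope recipient, sending MTA IP).

    SHA-256 and lower-casing of the addresses are choices made for this sketch.
    """
    parts = (mail_from.strip().lower(), rcpt_to.strip().lower(), client_ip.strip())
    return hashlib.sha256("\0".join(parts).encode("utf-8")).hexdigest()


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    verified: bool = False


class Greylist:
    def __init__(self, min_delay=MIN_RETRY_DELAY,
                 unverified_ttl=UNVERIFIED_TTL, verified_ttl=VERIFIED_TTL):
        self.min_delay = min_delay
        self.unverified_ttl = unverified_ttl
        self.verified_ttl = verified_ttl
        self._db = {}  # control value -> Entry

    def _expired(self, entry: Entry, now: float) -> bool:
        if entry.verified:
            return now - entry.last_seen > self.verified_ttl
        return now - entry.first_seen > self.unverified_ttl

    def check(self, mail_from, rcpt_to, client_ip, now=None):
        """Return the SMTP reply (code, text) for one delivery attempt."""
        now = time.time() if now is None else now
        key = triplet_key(mail_from, rcpt_to, client_ip)
        entry = self._db.get(key)
        if entry is not None and self._expired(entry, now):
            del self._db[key]
            entry = None

        if entry is None:
            # Unknown triplet: remember it and refuse with a temporary failure.
            self._db[key] = Entry(first_seen=now, last_seen=now)
            return 451, "Greylisted, try again later"

        entry.last_seen = now
        if entry.verified:
            return 250, "OK"
        if now - entry.first_seen < self.min_delay:
            # Immediate re-send: still inside the refusal window.
            return 451, "Greylisted, try again later"
        # The sender queued the message and retried, as a real MTA does.
        entry.verified = True
        return 250, "OK"


def replay(greylist, attempts):
    """Run (time, sender, recipient, ip) attempts and return the reply codes."""
    return [greylist.check(s, r, ip, now=t)[0] for t, s, r, ip in attempts]


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_ATTEMPTS = [
    (0,   "news@example.org", "bob@example.com", "192.0.2.10"),    # first contact
    (5,   "news@example.org", "bob@example.com", "192.0.2.10"),    # retry too early
    (900, "news@example.org", "bob@example.com", "192.0.2.10"),    # proper MTA retry
    (950, "news@example.org", "bob@example.com", "192.0.2.10"),    # triplet now known
    (960, "x9f3@example.net", "bob@example.com", "198.51.100.7"),  # one-shot bulk sender
]

if __name__ == "__main__":
    print(replay(Greylist(), SAMPLE_ATTEMPTS))
```

The one-shot sender in the last row never retries, so its message is never accepted, while the retrying MTA is delayed only once per triplet.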

1.5 User interface

ESET Mail Security has a graphical user interface (GUI) designed to be as intuitive as possible. The GUI gives users quick and easy access to the main functions of the program.

In addition to the main GUI, there is an advanced setup tree which is accessible from anywhere in the program by pressing the F5 key.

2. Installation

After purchasing ESET Mail Security, the installer can be downloaded from ESET's website (www.eset.com) as an .msi package. Once you launch the installer, the installation wizard will guide you through the basic setup. There are two types of installation available with different levels of setup details:

1. Typical Installation
2. Custom Installation

NOTE: We highly recommend installing ESET Mail Security on a freshly installed and configured OS, if possible. However, if you do need to install it on an existing system, the best approach is to uninstall the previous version of ESET Mail Security, restart the server and install the new ESET Mail Security 4.3 afterwards.

2.1 Typical Installation

Typical installation mode quickly installs ESET Mail Security with minimal configuration during the installation process. Typical installation is the default installation mode and is recommended if you do not have particular requirements for specific settings yet. After ESET Mail Security has been installed on your system, you can modify the options and configuration settings at any time. This user guide describes these settings and functionality in detail. The Typical installation mode settings provide excellent security coupled with ease of use and high system performance.

After selecting the installation mode and clicking Next, you will be prompted to enter your username and password. This plays a significant role in providing constant protection to your system, as your username and password allow automatic virus signature database updates.

Enter the username and password, which you received after the purchase or registration of the product, into the corresponding fields. If you do not currently have your username and password available, they can be entered directly from the program at a later time.

In the next step - License Manager - add the license file that was delivered via email after you purchased your product.

The next step is to configure the ThreatSense.Net Early Warning System. The ThreatSense.Net Early Warning System helps ensure that ESET is immediately and continuously informed about new infiltrations in order to quickly protect its customers. This system allows new threats to be submitted to ESET's Threat Lab, where they are analyzed, processed and added to the virus signature database. By default, the Enable ThreatSense.Net Early Warning System option is selected. Click Advanced setup... to modify detailed settings about the submission of suspicious files.

The next step in the installation process is to configure Detection of potentially unwanted applications. Potentially unwanted applications are not necessarily malicious, but can often negatively affect the behavior of your operating system.

These applications are often bundled with other programs and may be difficult to notice during the installation process. Although these applications usually display a notification during installation, they can easily be installed without your consent.

Select the Enable detection of potentially unwanted applications option to allow ESET Mail Security to detect this type of threat (recommended). If you do not wish to use this functionality, select Disable detection of potentially unwanted applications.

The final step in Typical installation mode is to confirm the installation by clicking the Install button.

2.2 Custom Installation

Custom installation is designed for those who would like to configure ESET Mail Security during the installation process.

After selecting the installation mode and clicking Next, you will be prompted to select a destination location for the installation. By default, the program installs in C:\Program Files\ESET\ESET Mail Security. Click Browse… to change this location (not recommended).

In the next step - License Manager - add the license file that was delivered via email after you purchased your product.

After entering your username and password, click Next to proceed to Configure your Internet connection. If you use a proxy server, it must be correctly configured for virus signature updates to work correctly. If you would like to have the proxy server configured automatically, select the default setting I am unsure if my Internet connection uses a proxy server. Use the same settings as Internet Explorer (Recommended) and click Next. If you do not use a proxy server, select the I do not use a proxy server option.

If you prefer to enter the proxy server details yourself, you can configure the proxy server settings manually. To configure your proxy server settings, select I use a proxy server and click Next. Enter the IP address or URL of your proxy server in the Address field. In the Port field, specify the port where the proxy server accepts connections (3128 by default). If your proxy server requires authentication, enter a valid Username and Password to grant access to the proxy server. Proxy server settings can also be copied from Internet Explorer if desired. Once the proxy server details are entered, click Apply and confirm the selection.

downloading program components. To download program component upgrades automatically, select the Always update program components option.

NOTE: After a program component update, a restart is usually required. We recommend selecting the Never restart computer option. The latest component updates will come into effect after the next server restart (whether it is scheduled, manual or otherwise). You can choose Offer computer restart if necessary if you would like to be reminded to restart the server after the components were updated. With this setting, you can restart the server right away or postpone the restart and perform it at a later time.

The next installation window offers the option to set a password to protect your program settings. Select the Protect configuration settings with a password option and choose a password to enter in the New password and Confirm new password fields.

The next two installation steps, ThreatSense.Net Early Warning System and Detection of potentially unwanted applications, are the same as the Typical installation mode steps (see "Typical installation").

Click Install in the Ready to install window to complete installation.

2.3 Terminal Server

If you have installed ESET Mail Security on a Windows Server that acts as a Terminal Server, you might want to disable the ESET Mail Security GUI to prevent it from starting up every time a user logs in. See the Disable GUI on Terminal Server chapter for specific steps to disable it.

2.4 Upgrading to a newer version

Newer versions of ESET Mail Security are issued to bring improvements or fix issues that cannot be resolved by automatic program module updates. Upgrading to a newer version can be done in one of several ways:

1. Automatically upgrade by means of a program component update (PCU)

Since program component updates are distributed to all users and may have an impact on certain system configurations, they are issued after a long period of testing to ensure a smooth upgrade process on all possible system configurations. If you need to upgrade to a newer version immediately after it has been released, use one of the following methods.

2. Manually upgrade by downloading and installing a new version over the previous installation

At the beginning of the installation, you can choose to preserve current program settings by selecting the Use current settings check box.

3. Manually upgrade with automatic deployment in a network environment by means of ESET Remote Administrator.

2.5 Installation in a clustered environment

A cluster is a group of servers (a server connected to a cluster is called a "node") that work together as a single server. This type of environment provides high accessibility and reliability of available services. If one of the nodes in the cluster fails or becomes inaccessible, its functioning is automatically covered by another node in the cluster. ESET Mail Security fully supports Microsoft Exchange Servers connected in a cluster. In order for ESET Mail Security to function properly, it is important that each node in a cluster contains the same configuration. This can be achieved by applying a policy using ESET Remote Administrator (ERA). In the following chapters we will describe how to install and configure ESET Mail Security on servers in a clustered environment using ERA.

Installation

This chapter explains the push installation method; however this is not the only way to install a product on the target computer. For information on additional installation methods, refer to the ESET Remote Administrator User Guide.

1) Download the ESET Mail Security msi installation package from the ESET website to the computer where ERA is installed. In ERA > Remote Install tab > Computers, right-click on any computer from the list and choose Manage Packages from the context menu. In the Type drop-down menu, select ESET Security Products package and click Add... In the Source, locate the downloaded ESET Mail Security installation package and click Create.

2) In Edit/Select configuration associated with this package, click Edit and configure the settings of ESET Mail Security according to your needs. ESET Mail Security settings are in the following branches: ESET Smart Security, ESET NOD32 Antivirus > Mail server protection and Mail server protection for Microsoft Exchange Server. You may also set the parameters of other modules included in ESET Mail Security (e.g., Update module, Computer scan, etc.). We recommend exporting the configured settings into an xml file which you can use later, e.g. when creating an installation package or applying a Configuration Task or a Policy.

3) Click Close. In the next dialog window (Do you want to save the package into server?) select Yes and type the name of the installation package. The finished installation package (including name and configuration) will be saved on the server. Most frequently, this package is used for a Push Installation, but it is also possible to save it as a standard msi installation package and use it for a direct installation on the server (in the Installation Packages Editor > Save As...).

4) Now that the installation package is ready, you can initiate the remote installation on the nodes within a cluster. In the ERA > Remote Install tab > Computers, select the nodes on which you want to install ESET Mail Security (Ctrl + Left-click or Shift + Left-click). Right-click on any of the selected computers and select Push Installation from the context menu. Using the Set / Set All buttons, set the Username and Password of a user on the target computer (this must be a user with administrator rights). Click Next to choose the installation package and initiate the remote installation process by clicking Finish. The installation package containing ESET Mail Security and custom configuration settings will be installed on selected target computers/nodes. After a short time, clients with ESET Mail Security will appear in the ERA > Clients tab. You may now manage the clients remotely.

NOTE: For a seamless remote installation process, it is necessary to fulfill certain conditions on the target computers as well as on the ERA Server. For further details, refer to the ESET Remote Administrator User Guide.

Configuration

For ESET Mail Security to function correctly on the nodes within a cluster, the nodes must have the same configuration at all times. This condition is met if you followed the push installation method above. However, there is a chance that the configuration will be changed by mistake, causing inconsistencies between ESET Mail Security products within a cluster. You can avoid this by using a policy in ERA. A policy is very similar to a standard

In ERA > Tools > Policy Manager... there are a number of options for using a policy. The easiest option is to use the Default Parent Policy, which also generally serves as the Default policy for primary clients. This kind of policy is automatically applied to all currently connected clients (in this case, to all ESET Mail Security products within a cluster). You can configure the Policy by clicking Edit..., or use an existing configuration saved in an xml file, if you have already created one.

The second option is to create a new policy (Add New Child Policy) and use the Add Clients... option to assign all ESET Mail Security products to this policy.

This configuration ensures a single policy with the same settings will be applied to all clients. If you wish to modify existing settings of an ESET Mail Security server within a cluster, it is sufficient to edit the current policy. Changes will be applied to all clients assigned to this policy.

NOTE: Refer to the ESET Remote Administrator User Guide for detailed information on policies.

2.6 License

A very important step is to enter the license file for ESET Mail Security for Microsoft Exchange Server. Without it, email protection on the Microsoft Exchange Server will not work properly. If you do not add the license file during installation, you can do so later in the advanced settings, under Miscellaneous > Licenses.

ESET Mail Security allows you to use several licenses simultaneously by merging them, as described below:

1) Two or more licenses of one customer (i.e. licenses assigned to the same customer name) are merged and the number of scanned mailboxes increases accordingly. The license manager will continue to display both licenses.

2) Two or more licenses of different customers are merged. This occurs exactly the same way as in the first scenario (point 1 above), with the only difference being that at least one of the licenses in question must have a special attribute. That attribute is required to merge licenses of different customers. If you are interested in using such a license, ask your local distributor to generate it for you.

NOTE: The validity period of the newly created license is determined by the earliest expiration date from among its constituents.

To determine how many Exchange enabled mailboxes you have, open Active Directory users and computers on the server. Right-click on the domain and click Find.... Then from the Find drop-down menu select Custom search and click the Advanced tab. Paste in the following Lightweight Directory Access Protocol (LDAP) query and click Find Now:

(&(objectClass=user)(objectCategory=person)(mailNickname=*)(|(homeMDB=*)(msExchHomeServerName=*))(!(name=SystemMailbox{*))(!(name=CAS_{*))(msExchUserAccountControl=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

If the number of mailboxes in your Active Directory exceeds your license count, a message will be entered into your Microsoft Exchange Server log reading, "Protection status changed due to exceeded number of mailboxes (count) covered by your license (count)." Your ESET Mail Security will also notify you by changing its Protection status to ORANGE and displaying a message informing you that you have 42 days left before your protection will be disabled. If you receive this notification, please contact your sales representative to purchase additional licenses.

2.7 Post-Installation Configuration

There are several options that have to be configured after the product installation.

Antispam protection setup

This section describes the settings, methods and techniques you can use to protect your network from spam. We recommend reading the following instructions carefully before choosing the most suitable combination of settings for your network.

Spam management

To ensure a high level of Antispam protection you must set actions to be performed on messages already marked as SPAM.

There are three options available: 1. Deleting spam

The criteria for a message to be marked as SPAM by ESET Mail Security are set reasonably high, decreasing the chances of deleting legitimate email. The more specific the Antispam settings, the less likely it is to delete legitimate email. Advantages of this method include very low consumption of system resources and less

administration. The drawback of this method is that if a legitimate email is deleted, it cannot be restored locally. 2. Quarantine

This option excludes the risk of deleting legitimate email. Messages can be restored and resent to the original recipients immediately. The drawbacks of this method are higher consumption of system resources and additional time required for email quarantine maintenance. You can use two methods to quarantine email:

A. Internal Exchange Server quarantine (applies only to Microsoft Exchange Server 2007/2010):

- If you want to use the internal server quarantine, make sure the Common message quarantine field on the right pane in the advanced settings menu (under Server protection > Message quarantine) is left blank. Also make sure that the Quarantine message to the mail server system quarantine option is selected from the drop-down menu at the bottom. This method only works when the Exchange's internal quarantine exists. By default, this internal quarantine is not activated within Exchange. If you want to activate it, you need to open the Exchange Management Shell and type in following command:

Set-ContentFilterConfig -QuarantineMailbox [email protected]

(replace [email protected] by the actual mailbox you want Microsoft Exchange to use as an internal quarantine mailbox, e.g. [email protected]

B. Custom quarantine mailbox:

- If you type the desired mailbox in the Common message quarantine field, ESET Mail Security will move all new spam messages into your custom mailbox.

For further details regarding Quarantine and different methods, see chapter Message quarantine.

3. Forwarding spam

Spam will be forwarded along to its recipient. However, ESET Mail Security will fill in the relevant MIME header with the SCL value into each message. Based on the SCL value the relevant action will be executed by the Exchange server IMF (Intelligent Message Filtering).

Spam filtering

Antispam Engine

The Antispam engine offers the three following configurations - Recommended, Most accurate and Fastest. If there is no need to optimize your configuration to allow maximum throughput (e.g. high server load), we recommend you select the Most accurate option. When the Recommended configuration is set, the server will automatically adjust its settings based on scanned messages to balance the load. When Most accurate is enabled, the settings will be optimized in regard to the catch rate. Clicking Custom > Open configuration file allows a user to edit the spamcatcher.conf file. This option is recommended for advanced users only.

Before starting full operation, we recommend that you manually configure the lists of restricted and allowed IP addresses. To do so:

1) Open the Advanced settings window and navigate to the section Antispam protection. Make sure to check the Enable antispam server protection field.

2) Navigate to the section Antispam Engine.

3) Click the Setup... button to set Allowed, Ignored and Blocked IP addresses lists.

The Blocked IP addresses tab contains the list of restricted IP addresses, i.e., if any non-ignored IP in Received headers matches the address on this list, the message scores 100 and no other checks are made.

The Allowed IP addresses tab lists all IP addresses that are approved, i.e., if the first non-ignored IP in Received headers matches any address on this list, the message scores 0 and no other checks are made.

The Ignored IP addresses tab lists addresses that should be ignored during Real-time Blackhole List (RBL) checks. The list should include all internal IP addresses in the firewall not directly accessible from the Internet. Doing so prevents unnecessary checks and helps to differentiate the external connecting IP addresses from the internal IP addresses.
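The following added example (not ESET code and not part of the original manual) models how the three lists interact when applied to a message's Received headers, and shows why an incomplete Ignored list stops the Allowed list from matching. The function names, the sample message and the order of evaluation (Blocked before Allowed) are assumptions; the manual does not state which list is consulted first.

```python
import ipaddress
import re
from email import message_from_string

# Bracketed IPv4 literals, the usual form inside Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message: newest hop first, because each server
# prepends its own Received header.
SAMPLE_MESSAGE = (
    "Received: from edge.corp.example (edge.corp.example [10.0.0.5])\n"
    "\tby mbx.corp.example; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from mail.partner.example (mail.partner.example [203.0.113.7])\n"
    "\tby edge.corp.example; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from client.isp.example (unknown [198.51.100.9])\n"
    "\tby mail.partner.example; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: sender@partner.example\n"
    "To: user@corp.example\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)


def to_networks(entries):
    """Accept single addresses or CIDR ranges."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def listed(ip, networks):
    return any(ip in net for net in networks)


def received_ips(raw_message):
    """Return the IPs found in Received headers, most recent hop first."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for text in IP_RE.findall(header):
            try:
                found.append(ipaddress.ip_address(text))
            except ValueError:
                pass  # bracketed text that is not a valid address
    return found


def evaluate_ip_lists(raw_message, allowed=(), blocked=(), ignored=()):
    """Apply the list semantics described above to one message."""
    allowed, blocked, ignored = map(to_networks, (allowed, blocked, ignored))
    candidates = [ip for ip in received_ips(raw_message)
                  if not listed(ip, ignored)]
    # Assumption: the Blocked list is consulted before the Allowed list.
    for ip in candidates:
        if listed(ip, blocked):  # ANY non-ignored hop may match
            return {"score": 100, "final": True, "matched": str(ip)}
    if candidates and listed(candidates[0], allowed):  # FIRST hop only
        return {"score": 0, "final": True, "matched": str(candidates[0])}
    # No list decided the verdict: the remaining checks (RBL etc.) would run.
    return {"score": None, "final": False, "matched": None,
            "rbl_candidates": [str(ip) for ip in candidates]}


if __name__ == "__main__":
    partner = ["203.0.113.0/24"]
    internal = ["10.0.0.0/8"]
    # Internal relay ignored: the partner's server is the first external hop.
    print(evaluate_ip_lists(SAMPLE_MESSAGE, allowed=partner, ignored=internal))
    # Ignored list left empty: the internal relay hides the allowed sender.
    print(evaluate_ip_lists(SAMPLE_MESSAGE, allowed=partner))
    # A blocked address deeper in the chain still forces a score of 100.
    print(evaluate_ip_lists(SAMPLE_MESSAGE, allowed=partner,
                            blocked=["198.51.100.9"], ignored=internal))
```
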

Greylisting

Greylisting is a method of protecting users from spam using the following technique: the transport agent sends a “temporarily reject” SMTP return value (default is 451/4.7.1) for any email from a sender it does not recognize. A legitimate server will attempt to redeliver the message. Spammers typically do not attempt to redeliver messages, because they go through thousands of email addresses at a time and typically cannot spend extra time on resending.

When evaluating the message source, the method takes into account the configurations of the Approved IP addresses list, the Ignored IP addresses list, the Safe Senders and Allow IP lists on the Exchange server and the AntispamBypass settings for the recipient mailbox. Greylisting must be thoroughly configured, or else unwanted operational flaws (e.g. delays in legitimate message deliveries etc.) may occur. These negative effects recede continuously as this method fills the internal whitelist with trusted connections. If you are not familiar with this method, or if you consider its negative side-effect unacceptable, we recommend that you disable the method in the Advanced settings menu under Antispam protection > Microsoft Exchange Server > Transport agent > Enable Greylisting.

We recommend disabling greylisting if you intend to test the product's basic functionalities and do not want to configure the advanced features of the program.

NOTE: Greylisting is an additional layer of antispam protection and does not have any effect on the spam evaluation capabilities of the antispam module.
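The added example below (not ESET code) sketches the greylisting decision described in this section: a temporary reject on first contact, acceptance on a proper retry, and an internal whitelist that removes the delay for later mail. The key of connecting IP, sender and recipient, the min_retry_seconds parameter and the single bypass list standing in for the allowed/ignored lists are assumptions; the manual does not describe the product's internal bookkeeping.

```python
import ipaddress

TEMP_REJECT = "451 4.7.1"  # default temporary-reject reply named in the text


class Greylist:
    def __init__(self, bypass=(), min_retry_seconds=300):
        # bypass: hypothetical stand-in for the allowed/ignored IP lists.
        self.bypass = [ipaddress.ip_network(b, strict=False) for b in bypass]
        # Hypothetical parameter: minimum wait before a retry is accepted.
        self.min_retry_seconds = min_retry_seconds
        self.pending = {}     # (ip, sender, recipient) -> time of first attempt
        self.trusted = set()  # internal whitelist of IPs that retried properly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (accepted, smtp_reply, reason); now is a time in seconds."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.bypass):
            return True, None, "bypass list"
        if client_ip in self.trusted:
            return True, None, "internal whitelist"
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now
            return False, TEMP_REJECT, "first attempt from unknown sender"
        if now - first_seen < self.min_retry_seconds:
            return False, TEMP_REJECT, "retried too soon"
        # A well-behaved server came back after the delay: trust it from now on.
        del self.pending[key]
        self.trusted.add(client_ip)
        return True, None, "retried after delay"


def replay(greylist, attempts):
    """Run (time, ip, sender, recipient) attempts and collect the decisions."""
    return [greylist.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in attempts]


# Constructed traffic: one legitimate server that retries, one bulk sender
# that never does, and one internal application on the bypass list.
ATTEMPTS = [
    (0,   "203.0.113.7",  "news@partner.example",    "user@corp.example"),
    (30,  "203.0.113.7",  "news@partner.example",    "user@corp.example"),
    (600, "203.0.113.7",  "news@partner.example",    "user@corp.example"),
    (700, "203.0.113.7",  "billing@partner.example", "user@corp.example"),
    (0,   "198.51.100.9", "promo@bulk.example",      "user@corp.example"),
    (5,   "10.0.0.5",     "app@corp.example",        "user@corp.example"),
]

if __name__ == "__main__":
    gl = Greylist(bypass=["10.0.0.0/8"])
    for attempt, decision in zip(ATTEMPTS, replay(gl, ATTEMPTS)):
        print(attempt, "->", decision)
```

The first message from the legitimate server is delivered only on its retry at 600 seconds, which is the delivery delay the text warns about; the message at 700 seconds is accepted immediately because the server is already on the internal whitelist.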

Antivirus protection setup

Quarantine

Depending on the type of cleaning mode you are using, we recommend that you configure an action to be performed on infected (not cleaned) messages. This option can be set in the Advanced settings window under Server protection > Antivirus and antispyware > Microsoft Exchange Server > Transport agent.

If the option to move messages into email quarantine is enabled, you need to configure the quarantine under Server protection > Message quarantine in the Advanced settings window.

Performance

If there are no other restrictions, our recommendation is to increase the number of ThreatSense scan engines in the Advanced settings window (F5) under Server protection > Antivirus and antispyware > Microsoft Exchange Server > VSAPI > Performance, according to this formula: number of scan threads = (number of physical CPUs x 2) + 1. Also, the number of scan threads should be equal to the number of ThreatSense scan engines. You can configure the number of scan engines under Computer protection > Antivirus and antispyware > Performance. Here is an example:

Let's say you have a server with 4 physical CPUs. For the best performance, according to the formula above, you should have 9 scan threads and 9 scan engines.

NOTE: We recommend that you set the number of ThreatSense scan engines equal to the number of scan threads used. It will have no effect on performance when you use more scan threads than scan engines.

NOTE: If you are using ESET Mail Security on a Windows Server that acts as a Terminal Server and do not want the ESET Mail Security GUI to start up every time a user logs in, see the Disable GUI on Terminal Server chapter for specific steps to disable it.

3. ESET Mail Security - Microsoft Exchange Server protection

ESET Mail Security provides significant protection for your Microsoft Exchange Server. There are three essential types of protection: Antivirus, Antispam and the application of user-defined rules. ESET Mail Security protects from various types of malware content, including email attachments infected by worms or trojans, documents containing harmful scripts, phishing and spam. ESET Mail Security filters out the malicious content on the mail server level, before it arrives in the recipient's email client inbox. The following chapters describe all the options and settings available to you in order to fine-tune your Microsoft Exchange Server protection.

3.1 General settings

This section describes how to administer rules, log files, message quarantine and performance parameters.

3.1.1 Microsoft Exchange Server

3.1.1.1 VSAPI (Virus-Scanning Application Programming Interface)

Microsoft Exchange Server provides a mechanism to make sure that every message component is scanned against the current virus signature database. If a message component is not scanned, its corresponding component is submitted to the scanner before the message is released to the client. Every supported version of Microsoft Exchange Server (5.5/2000/2003/2007/2010) offers a different version of VSAPI.

Use the checkbox to enable/disable the automatic startup of the VSAPI version used by your Exchange server.

3.1.1.2 Transport Agent

In this section, you can configure the transport agent to automatically start and set the agent loading priority. On Microsoft Exchange Server 2007 and later, it is only possible to install a transport agent if the server is in one of two roles: Edge Transport or Hub Transport.

NOTE: The Transport agent is not available in Microsoft Exchange Server 5.5 (VSAPI 1.0).

characteristics of the message header, its subject, content, etc.). A rating of 0 indicates that the message is highly unlikely to be spam, while a rating of 9 indicates that the message is very likely spam. SCL values can be processed further by the Microsoft Exchange Server's Intelligent Message Filter (or Content Filter Agent). For additional information, please refer to the Microsoft Exchange Server documentation.

The When deleting messages, send SMTP reject response option:

If unchecked, the server sends an OK SMTP response to the sender’s Mail Transfer Agent (MTA) in the format ‘250 2.5.0 – Requested mail action okay, completed’ and then performs a silent drop.

If checked, an SMTP reject response is sent back to the sender’s MTA. You can type a response message in the following format:

Primary response code    Complementary status code    Description
250                      2.5.0                        Requested mail action okay, completed
451                      4.5.1                        Requested action aborted: local error in processing
550                      5.5.0                        Requested action not taken: mailbox unavailable

Warning: Incorrect syntax of the SMTP response codes can lead to program components malfunctioning and a decrease in effectiveness.

NOTE: You can also use system variables when configuring SMTP Reject Responses.

3.1.2 Rules

The Rules menu item allows administrators to manually define email filtering conditions and actions to take with filtered emails. The rules are applied according to a set of combined conditions. Multiple conditions are combined with the logical operator AND, applying the rule only if all the conditions are met. The Number column (next to each rule name) displays the number of times the rule was successfully applied.

Add... - adds a new rule

Edit... - modifies an existing rule

Remove - removes a selected rule

Clear - clears the rule counter (the Number column)

Move up - moves a selected rule up in the list

Move down - moves a selected rule down in the list

Unchecking a check box (to the left of each rule name) deactivates the current rule. This allows the rule to be reactivated if needed.

NOTE: You can also use system variables (e.g., %PATHEXT%) when configuring Rules.

NOTE: If a new rule has been added or an existing rule has been modified, a message rescan will automatically start using the new/modified rules.

3.1.2.1 Adding new rules

This wizard guides you through adding user-specified rules with combined conditions.

NOTE: Not all of the conditions are applicable when the message is scanned by the transport agent.

By target mailbox applies to the name of a mailbox (VSAPI)

By message recipient applies to a message sent to a specified recipient (VSAPI + TA)

By message sender applies to a message sent by a specified sender (VSAPI + TA)

By message subject applies to a message with a specified subject line (VSAPI + TA)

By message body applies to a message with specific text in the message body (VSAPI)

By attachment name applies to a message with a specific attachment name (VSAPI)

By attachment size applies to a message with an attachment exceeding a defined size (VSAPI)

By frequency of occurrence applies to objects (email body or attachment) where the number of occurrences within the specified time interval exceeds the specified number (VSAPI + TA). This is particularly useful if you are constantly spammed with emails with the same email body or the same attachment.

When specifying the conditions above (except the By attachment size condition), it is sufficient to fill in only part of a phrase as long as the Match whole words option is not selected. Values are not case-sensitive, unless the Match case option is selected. If you are using values other than alphanumerical characters, use parentheses and quotes. You can also create conditions using the logical operators AND, OR and NOT.

NOTE: The list of available rules depends on the installed version of Microsoft Exchange Server.

By email sender: [email protected]

By email recipient: “J.Smith” or “[email protected]”

By email subject: “ ”

By attachment name: “.com” OR “.exe”

By email body: (“free” OR “lottery”) AND (“win” OR “buy”)
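To test a condition before deploying it, the added example below (not ESET code) evaluates expressions of the form shown above against sample text, including the Match whole words and Match case switches. The operator precedence (NOT, then AND, then OR), the case-insensitive operator keywords and the whole-word boundary test are assumptions; the manual does not specify them.

```python
import re

# Parentheses, quoted values (straight or typographic quotes), bare words.
TOKEN_RE = re.compile(r'\(|\)|["“”][^"“”]*["“”]|[^\s()"“”]+')
OPERATORS = {"AND", "OR", "NOT"}


def tokenize(expression):
    tokens = []
    for raw in TOKEN_RE.findall(expression):
        if raw in ("(", ")"):
            tokens.append((raw, raw))
        elif raw[0] in '"“”':
            tokens.append(("TERM", raw[1:-1]))
        elif raw.upper() in OPERATORS:
            tokens.append((raw.upper(), raw))
        else:
            tokens.append(("TERM", raw))  # bare value, e.g. an address
    return tokens


class RuleCondition:
    def __init__(self, expression, whole_words=False, match_case=False):
        self.tokens = tokenize(expression)
        self.whole_words = whole_words
        self.match_case = match_case

    def matches(self, text):
        self._text, self._pos = text, 0
        result = self._parse_or()
        if self._pos != len(self.tokens):
            raise ValueError("unexpected token: %r" % (self.tokens[self._pos][1],))
        return result

    def _peek(self):
        return self.tokens[self._pos][0] if self._pos < len(self.tokens) else None

    def _parse_or(self):
        value = self._parse_and()
        while self._peek() == "OR":
            self._pos += 1
            right = self._parse_and()  # always parse, then combine
            value = value or right
        return value

    def _parse_and(self):
        value = self._parse_not()
        while self._peek() == "AND":
            self._pos += 1
            right = self._parse_not()
            value = value and right
        return value

    def _parse_not(self):
        if self._peek() == "NOT":
            self._pos += 1
            return not self._parse_not()
        return self._parse_atom()

    def _parse_atom(self):
        kind = self._peek()
        if kind == "(":
            self._pos += 1
            value = self._parse_or()
            if self._peek() != ")":
                raise ValueError("missing closing parenthesis")
            self._pos += 1
            return value
        if kind == "TERM":
            term = self.tokens[self._pos][1]
            self._pos += 1
            return self._term_matches(term)
        raise ValueError("expected a value or '('")

    def _term_matches(self, term):
        pattern = re.escape(term)
        if self.whole_words:
            # Assumed meaning of "Match whole words": no word character
            # directly before or after the value.
            pattern = r"(?<!\w)" + pattern + r"(?!\w)"
        flags = 0 if self.match_case else re.IGNORECASE
        return re.search(pattern, self._text, flags) is not None


if __name__ == "__main__":
    body_rule = '(“free” OR “lottery”) AND (“win” OR “buy”)'
    legit = "Winter tyres with free fitting"  # constructed sample text
    print(RuleCondition(body_rule).matches(legit))                    # partial match
    print(RuleCondition(body_rule, whole_words=True).matches(legit))  # whole words
```

With partial matching the value “win” also hits “Winter”, so the legitimate sample satisfies the body rule; enabling whole-word matching removes that false positive.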

3.1.2.2 Actions taken when applying rules

This section allows you to select actions to take with messages and/or attachments matching conditions defined in rules. You can take no action, mark the message as if it contained a threat/spam or delete the whole message. When a message or its attachment matches the rule conditions, it is not scanned by the antivirus or antispam modules by default, unless scanning is enabled explicitly by selecting the respective check boxes at the bottom (the action taken then depends on the antivirus/antispam settings).

No action – no action will be taken with the message

Take action for uncleaned threat - the message will be marked as if it contained an uncleaned threat (regardless of whether it contained the threat or not)

Take action for unsolicited email - the message will be marked as if it were a spam (regardless of whether it is spam or not). This option is not available if you are using ESET Mail Security without Antispam module.

Delete message – removes the entire message with content that meets the conditions

Quarantine file - quarantines the attachments

NOTE: Do not confuse this with mail quarantine (see chapter Message quarantine)

Submit file for analysis - sends suspicious attachments to ESET’s lab for analysis

Send event notification - sends a notification to the administrator (based on settings in Tools > Alerts and notifications)

Log - writes information about the applied rule to the program log

Evaluate other rules - allows the evaluation of other rules, enabling the user to define multiple sets of conditions and multiple actions to take, given the conditions

Scan by antivirus and antispyware protection - scans the message and its attachments for threats

Scan by antispam protection - scans the message for spam

NOTE: This option is available only in Microsoft Exchange Server 2000 and later with the transport agent turned on.

The last step in the new rule creation wizard is to name each created rule. You can also add a Rule comment. This information will be stored in the Microsoft Exchange Server log.

3.1.3 Log files

Log files settings let you choose how the log file will be assembled. A more detailed protocol can contain more information, but it may slow server performance.

If Synchronized writing without using cache is enabled, all the log entries will be immediately written in the log file without being stored in the log cache. By default, ESET Mail Security components running in Microsoft Exchange Server store log messages in their internal cache and send them to the application log at periodic time intervals to preserve performance. In this case, however, the diagnostic entries in the log might not be in the proper order. We recommend keeping this setting turned off unless it is necessary for diagnostics. You can specify the type of information stored in the log files in the Content menu.

Log rule application - when this option is enabled, ESET Mail Security writes the name of all activated rules into the log file.

Log spam score - use this option to have spam related activity written to the Antispam log. When the mail server receives a SPAM message, information about this is written into the log providing details such as the Time/Date, Sender, Recipient, Subject, SPAM Score, Reason and Action. This is useful when you need to track down what SPAM messages were received, when and what action was taken.

Log Greylisting activity - enable this option if you want to have Greylisting related activity written into the Greylisting log. It provides information such as Time/Date, HELO Domain, IP address, Sender, Recipient, Action, etc.

NOTE: This option works only when Greylisting is enabled within Transport agent options under Server protection > Antispam protection > Microsoft Exchange Server > Transport agent in the advanced setup tree (F5).

Log performance - logs information about the time interval of a performed task, size of the scanned object, transfer rate (kb/s) and performance rating.

Log diagnostic information - logs diagnostic information needed for fine-tuning of the program to the protocol; this option is mostly for debugging and identifying problems. Having this option turned on is not recommended. To see diagnostic information provided by this function, you will have to set the Minimum logging verbosity to Diagnostic records in the Tools > Log files > Minimum logging verbosity setting.

3.1.4 Message quarantine

The Message quarantine is a special mailbox defined by the system administrator to store potentially infected messages and SPAM. Messages stored in quarantine can be analyzed or cleaned later using a newer virus signature database.

There are two types of message quarantine systems that can be used.

One option is to use the Microsoft Exchange quarantine system (this applies only to Microsoft Exchange Server 2007/2010). In this case, the Exchange's internal mechanism is used to store potentially infected messages and SPAM. Additionally, you can add a separate quarantine mailbox (or number of mailboxes) for specific recipients if needed. This means that potentially infected messages, which were originally sent to a specific recipient, will be delivered to separate quarantine mailbox instead of being delivered to Exchange's internal quarantine mailbox. This might be useful in some cases to keep potentially infected messages and SPAM more organized.

The other option is to use Common message quarantine. If you are using an earlier version of Microsoft Exchange Server (5.5, 2000 or 2003), then you simply specify Common message quarantine, which is a mailbox that will be used to store potentially infected messages. In this case, Exchange's internal quarantine system is not used. Instead, a mailbox specified by the system administrator is used for this purpose. As with the first option, you can add a separate quarantine mailbox (or number of mailboxes) for specific recipients. The result is that potentially infected messages are delivered to a separate mailbox instead of being delivered to common message quarantine.

Common message quarantine - you can specify the common message quarantine address here (e.g. [email protected]), or you can use the Microsoft Exchange Server 2007/2010 internal quarantine system instead by leaving this field blank and choosing Quarantine message to the mail server system quarantine (provided that the Exchange quarantine exists in your environment) from the drop-down menu at the bottom. Emails are then delivered to quarantine by Exchange's internal mechanism using its own settings.

NOTE: By default, this internal quarantine is not activated within Exchange. If you want to activate it, you need to open the Exchange Management Shell and type in the following command:

Set-ContentFilterConfig -QuarantineMailbox [email protected]

Message quarantine by recipient - by using this option, you can define message quarantine mailboxes for multiple recipients. Every quarantine rule can be enabled or disabled by checking or unchecking the check box in its row.

Add... - you can add a new quarantine rule by entering the desired recipient's email address and the quarantine email address to which mail will be forwarded

Edit... - edit a selected quarantine rule

Remove - remove a selected quarantine rule

Prefer common message quarantine - when enabled, a message will be delivered to the specified common quarantine if more than one quarantine rule is met (e.g., if a message has multiple recipients and some of them are defined in multiple quarantine rules)

Message intended for non-existing message quarantine (if you did not specify a common message quarantine, you have the following options as to what action will be taken on possibly infected messages and SPAM):

No action - a message will be processed in a standard way - delivered to the recipient (not recommended)

Delete message - a message will be deleted if it is addressed to a recipient with no existing quarantine rule and a common message quarantine is not specified; this means that all possibly infected messages and SPAM will be automatically deleted without being stored anywhere

Quarantine message to the mail server system quarantine - a message will be delivered to and stored in the Exchange's internal system quarantine (not available for Microsoft Exchange Server 2003 and earlier)

NOTE: You can also use system variables (e.g., %USERNAME%) when configuring Message Quarantine settings.

3.1.4.1 Adding a new quarantine rule

Enter the desired Recipient’s email address and the desired Quarantine email address in the appropriate fields. If you want to delete an email message addressed to a recipient who does not have a quarantine rule applied, you can select the Delete message option in the Message intended for non-existing message quarantine: pull-down menu.

3.1.5 Performance

In this section, you can define a folder to store temporary files in, in order to improve program performance. If no folder is specified, ESET Mail Security will create temporary files in the system’s temporary folder.

NOTE: In order to reduce the potential I/O and fragmentation impact, we recommend placing the Temporary folder on a different hard drive than the one on which Microsoft Exchange Server is installed. We strongly

3.2 Antivirus and antispyware settings

You can enable antivirus and antispyware mail server protection by selecting the Enable antivirus and antispyware server protection option. Note that antivirus and antispyware protection is turned on automatically after every restart of the service/computer. ThreatSense engine parameter setup is accessible by clicking on the Setup… button.

3.2.1 Microsoft Exchange Server

When it comes to antivirus and antispyware protection, ESET Mail Security for Microsoft Exchange Server uses two types of scanning. One type scans messages via VSAPI and the other uses Transport Agent.

Protection using VSAPI scans messages directly within the Exchange server store.

Transport Agent protection scans SMTP traffic instead of the Exchange server store itself. If this type of protection is enabled, all messages and their components are scanned during transportation, even before they reach the Exchange server store or before they are sent out via SMTP. SMTP server-level filtering is secured by a specialized plugin. In Microsoft Exchange Server 2000 and 2003, the plugin in question (Event Sink) is registered on the SMTP server as a part of Internet Information Services (IIS). In Microsoft Exchange Server 2007/2010, the plugin is registered as a transport agent on the Edge or the Hub roles of the Microsoft Exchange Server.

NOTE: Transport agent is not available in Microsoft Exchange Server 5.5, however it is available in all newer Microsoft Exchange Server versions (from version 2000 onwards).

You can have VSAPI and Transport agent antivirus and antispyware protection working at the same time (this is the default and recommended configuration). Alternatively, you can choose to use only one type of protection (either VSAPI or Transport agent). They can be enabled or disabled independently of each other. We recommend using both types to ensure maximum antivirus and antispyware protection. We do not recommend having both disabled.

3.2.1.1 Virus-Scanning Application Programming Interface (VSAPI)

Microsoft Exchange Server provides a mechanism to make sure that every message component is scanned against the current virus signature database. If a message was not previously scanned, its corresponding components are submitted to the scanner before the message is released to the client. Every supported version of Microsoft Exchange Server (5.5/2000/2003/2007/2010) offers a different version of VSAPI.

3.2.1.1.1 Microsoft Exchange Server 5.5 (VSAPI 1.0)

This version of Microsoft Exchange Server includes VSAPI version 1.0.

If the Background scanning option is enabled, it allows for scanning of all messages in the system background. Microsoft Exchange Server decides whether a background scan will run or not, based on various factors, such as the current system load, the number of active users, etc. Microsoft Exchange Server keeps a record of scanned messages and the virus signature database version used. If you are opening a message that has not been scanned by the most current virus signature database, Microsoft Exchange Server sends the message to ESET Mail Security to be scanned before opening the message in your email client.

Since background scanning can affect system load (scanning is performed after each virus signature database update), we recommend using scheduled scanning outside working hours. Scheduled background scanning can be configured via a special task in the Scheduler/Planner. When you schedule a Background scanning task you can set the launch time, the number of repetitions and other parameters available in the Scheduler/Planner. After the task has been scheduled, it will appear in the list of scheduled tasks and, as with the other tasks, you can modify its parameters, delete it or temporarily deactivate the task.

3.2.1.1.1.1 Actions

In this section you can specify the actions to be performed when a message and/or attachment is evaluated as infected.

The Action to take if cleaning not possible field allows you to Block infected content, Delete the message or take No action on the infected content of the message. This action will be applied only if the automatic cleaning (defined in ThreatSense engine parameter setup > Cleaning) did not clean the message.

The Deletion field allows you to set Attachment deletion method to either of these options:

Truncate file to zero length – ESET Mail Security truncates the attachment to zero size and lets the recipient see the attachment file name and type

Replace attachment with action information – ESET Mail Security replaces the infected file with a virus protocol or rule description

By clicking the Rescan button you will run another scan on messages and files that have already been scanned before.

3.2.1.1.1.2 Performance

During a scan, Microsoft Exchange Server allows you to limit a time for opening message attachments. This time is set in the Response time limit (ms) field and represents the period after which the client will retry accessing the file that had previously been inaccessible due to scanning.

3.2.1.1.2 Microsoft Exchange Server 2000 (VSAPI 2.0)

This version of Microsoft Exchange Server includes VSAPI version 2.0.

If you uncheck the Enable antivirus and antispyware VSAPI 2.0 protection option, the ESET Mail Security plug-in for Exchange server will not get unloaded from the Microsoft Exchange server process. It will only pass through the messages without scanning for viruses. The messages however, will still be scanned for spam and the rules will be applied.

If the Proactive scanning option is enabled, new inbound messages will be scanned in the same order in which they were received. If this option is enabled and a user opens a message that has not been scanned yet, this message will be scanned before the other messages in the queue.

Server decides whether a background scan will run or not, based on various factors, such as the current system load, the number of active users, etc. Microsoft Exchange Server keeps a record of scanned messages and the virus signature database version used. If you are opening a message that has not been scanned by the most current virus signature database, Microsoft Exchange Server sends the message to ESET Mail Security to be scanned before opening the message in your email client.

Since background scanning can affect system load (scanning is performed after each virus signature database update), we recommend using scheduled scanning outside working hours. Scheduled background scanning can be configured via a special task in the Scheduler/Planner. When you schedule a Background scanning task you can set the launch time, the number of repetitions and other parameters available in the Scheduler/Planner. After the task has been scheduled, it will appear in the list of scheduled tasks and as with the other tasks, you can modify its parameters, delete it or temporarily deactivate the task.

If you want to scan plain text messages, select the Scan plain text message bodies option.

Enabling the Scan RTF message bodies option activates scanning of RTF message bodies. The RTF message bodies may contain macro viruses.

3.2.1.1.2.1 Actions

In this section you can specify the actions to be performed when a message and/or attachment is evaluated as infected.

The Action to take if cleaning not possible field allows you to Block infected content, Delete the message or take No action on the infected content of the message. This action will be applied only if the automatic cleaning (defined in ThreatSense engine parameter setup > Cleaning) did not clean the message.

The Deletion option allows you to set Message deletion method and Attachment deletion method. You can set Message deletion method to:

Delete message body – delete the body of the infected message; the recipient will receive an empty message and any non-infected attachments

Rewrite message body with action information – rewrite the body of the infected message with information about performed actions

You can set Attachment deletion method to:

Truncate file to zero length – ESET Mail Security truncates the attachment to zero size and lets the recipient see the attachment file name and type

Replace attachment with action information – ESET Mail Security replaces the infected file with a virus protocol or rule description

By clicking the Rescan button you will run another scan on messages and files that have already been scanned before.

3.2.1.1.2.2 Performance

In this section you can set the number of independent scan threads used at a single time. More threads on multiprocessor machines can increase the scan rate. For the best program performance we advise using an equal number of ThreatSense scan engines and scan threads.

The Response time limit (sec.) allows you to set the maximum amount of time a thread waits for a message scan to complete. If the scan is not finished within this time limit, Microsoft Exchange Server will deny the client access to the email. Scanning will not be interrupted and, after it is finished, every other attempt to access the file will be successful.

TIP: To determine the Number of scan threads the Microsoft Exchange Server provider recommends, use the following formula: [number of physical processors] x 2 + 1.

NOTE: Performance is not improved significantly if there are more ThreatSense scanning engines than scanning threads.

3.2.1.1.3 Microsoft Exchange Server 2003 (VSAPI 2.5)

This version of Microsoft Exchange Server includes VSAPI version 2.5.

If you uncheck the Enable antivirus and antispyware VSAPI 2.5 protection option, the ESET Mail Security plug-in for Exchange server will not get unloaded from the Microsoft Exchange server process. It will only pass through the messages without scanning for viruses. The messages however, will still be scanned for spam and the rules will be applied.

If the Proactive scanning option is enabled, new inbound messages will be scanned in the same order in which they were received. If this option is enabled and a user opens a message that has not been scanned yet, this message will be scanned before the other messages in the queue.

The Background scanning option allows scanning of all messages in the system background. Microsoft Exchange Server decides whether a background scan will run or not, based on various factors, such as the current system load, the number of active users, etc. Microsoft Exchange Server keeps a record of scanned messages and the virus signature database version used. If you are opening a message that has not been scanned by the most current virus signature database, Microsoft Exchange Server sends the message to ESET Mail Security to be scanned before opening the message in your email client.

Since background scanning can affect system load (scanning is performed after each virus signature database update), we recommend using scheduled scanning outside working hours. Scheduled background scanning can be configured via a special task in the Scheduler/Planner. When you schedule a Background scanning task you can set the launch time, the number of repetitions and other parameters available in the Scheduler/Planner. After the task has been scheduled, it will appear in the list of scheduled tasks and as with the other tasks, you can modify its parameters, delete it or temporarily deactivate the task.

Enabling the Scan RTF message bodies option activates scanning of RTF message bodies. The RTF message bodies may contain macro viruses.

The Scan transported messages option enables scanning of messages which are not stored on the local Microsoft Exchange Server and are being delivered to other email servers through the local Microsoft Exchange Server. The Microsoft Exchange Server can be configured as a gateway which then passes messages to other email servers. If scanning for transported messages is enabled, ESET Mail Security also scans these messages. This option is only available when the transport agent is disabled.

NOTE: Plain text email bodies are not scanned by VSAPI.

3.2.1.1.3.1 Actions

In this section you can specify the actions to be performed when a message and/or attachment is evaluated as infected.

The Action to take if cleaning not possible field allows you to Block infected content, Delete infected content of the message, Delete whole message including infected content or take No action. This action will be applied only if the automatic cleaning (defined in ThreatSense engine parameter setup > Cleaning) did not clean the message.

The Deletion option allows you to set the Message deletion method and the Attachment deletion method. You can set Message deletion method to:

Delete message body – delete the body of the infected message; the recipient will receive an empty message and any non-infected attachments

Rewrite message body with action information – rewrite the body of the infected message with information about performed actions

Delete whole message – delete the entire message, including attachments; you can set what action should be performed when deleting attachments


You can set Attachment deletion method to:

Truncate file to zero length – ESET Mail Security truncates the attachment to zero size and lets the recipient see the attachment file name and type

Replace attachment with action information – ESET Mail Security replaces the infected file with a virus protocol or rule description

Delete whole message – delete the entire message, including attachments; you can set what action should be performed when deleting attachments

Clicking the Rescan button runs another scan on messages and files that have already been scanned.

3.2.1.1.3.2 Performance

In this section you can set the number of independent scan threads used at a single time. More threads on multiprocessor machines can increase the scan rate. For the best program performance we advise using an equal number of ThreatSense scan engines and scan threads.

The Response time limit (sec.) option allows you to set the maximum amount of time a thread waits for a message scan to complete. If the scan is not finished within this time limit, Microsoft Exchange Server will deny the client access to the email. Scanning will not be interrupted and, after it is finished, every subsequent attempt to access the file will be successful.

TIP: To determine the Number of scan threads the Microsoft Exchange Server provider recommends, use the following formula: [number of physical processors] x 2 + 1.

NOTE: Performance is not improved significantly if there are more ThreatSense scanning engines than scanning threads.

3.2.1.1.4 Microsoft Exchange Server 2007/2010 (VSAPI 2.6)

This version of Microsoft Exchange Server includes VSAPI version 2.6.

If you uncheck the Enable antivirus and antispyware protection VSAPI 2.6 option, the ESET Mail Security plug-in for Exchange server will not be unloaded from the Microsoft Exchange server process. It will only pass messages through without scanning them for viruses. The messages will, however, still be scanned for spam and the rules will be applied.

If the Proactive scanning option is enabled, new inbound messages will be scanned in the same order in which they were received. If this option is enabled and a user opens a message that has not been scanned yet, this message will be scanned before the other messages in the queue.

The Background scanning option allows scanning of all messages in the system background. Microsoft Exchange Server decides whether a background scan will run or not, based on various factors, such as the current system load, the number of active users, etc. Microsoft Exchange Server keeps a record of scanned messages and the virus signature database version used. If you are opening a message that has not been scanned by the most current virus signature database, Microsoft Exchange Server sends the message to ESET Mail Security to be scanned before opening the message in your email client. You can choose to Scan only messages with attachment and filter based on time received with the following Scan level options:

All messages

Messages received within last year

Messages received within last 6 months

Messages received within last 3 months

Messages received within last month

Messages received within last week

Since background scanning can affect system load (scanning is performed after each virus signature database update), we recommend using scheduled scanning outside working hours. Scheduled background scanning can be configured via a special task in the Scheduler/Planner. When you schedule a Background scanning task you can set the launch time, the number of repetitions and other parameters available in the Scheduler/Planner. After the task has been scheduled, it will appear in the list of scheduled tasks and as with the other tasks, you can modify its parameters, delete it or temporarily deactivate the task.
